Key Takeaways
- Gulf Cooperation Council banks' prioritization of cyber risk has driven investment in infrastructure and systems that underpins effective threat management and likely contributed to no reports of cyber attacks with a meaningful financial impact over the past two years.
- Regional banks' strong profitability, capitalization, and liquidity provide a robust financial buffer against potential losses from cyber incidents.
- S&P Global Ratings sees evidence of a continued focus on cyber risk at both board and senior management levels, based on both public disclosures and private conversations, and support in the form of new initiatives from regional regulators.
Cyber risk is a growing threat to the operations and credit profiles of financial institutions globally, yet it is a danger that Gulf Cooperation Council (GCC) banks are prioritizing. Over the past two years, there have been no meaningful cyber attacks (or losses) reported by a GCC-based bank. Attacks may have gone unreported, yet they are likely to have been minor incidents given the absence of significant losses in financial reports and the banks' relatively low operational risk capital charges.
Across the global banking industry there was a 34.3% probability that a particular bank would be the target of a cyber attack, as of year-end 2023, according to cyber security specialist Guidewire. Banks and financial companies were the sixth most targeted sector in 2022, with an average of 1,131 weekly attacks, according to cyber intelligence provider Check Point Research--education/research was No. 1, followed by the government/military, and health care (see chart 1).
Chart 1
GCC banks' cyber-related success is no coincidence. The region's banks have invested in infrastructure and systems, including equipment and software, to minimize exposure to cyber risk. That, in turn, reflects the importance that rated GCC banks' senior management and boards place on cyber security, which typically ranks at the top of their agendas according to public disclosures and our interactions with senior figures.
GCC Banks' Cyber Risk Appears Manageable
S&P Global Ratings considers cyber risks for GCC banks to be manageable. This is supported by data from Guidewire, which uses a tail-value-at-risk calculation to measure the average loss for the 40 most severe simulations in its model. That calculation found that rated banks from the GCC might lose an estimated 2.2% of net income and 0.3% of equity, based on December 2023 estimations in the Guidewire model and banks' annualized net income and equity as of September 2023. Guidewire data also suggests that the banks have sufficient operational risk capital buffers to absorb unexpected losses given that operational risk capital buffers represent 12.0x the modeled loss.
We do not incorporate Guidewire's loss estimates in our capital analysis. The estimates do, however, provide us with useful insight as we consider GCC banks' exposure to cyber risk and our overall assessment of their risk position. We also note that Guidewire reports that 94% of the risk stems from the possibility for direct or contingent disruption to a bank's business. Depending on how such a disruption unfolded, we consider that it could affect banks' creditworthiness, for example in case of prolonged business stoppages.
In general, the GCC's exposure to cyber criminality appears to be relatively manageable. According to SOCRadar, a cyber security company, the region accounted for around 2% of posts on the global dark web (a part of the internet that is not indexed by search engines and that requires a specific browser), 1.8% of ransomware attacks, and 0.1% of phishing campaigns from March 2022 to February 2023.
It is noteworthy that 53% of the region's dark web threats, 30% of its ransomware, and 64% of phishing attacks were in the United Arab Emirates (UAE) (see chart 2 and chart 3). According to the country's Cybersecurity Council, the UAE blocked more than 71 million cyber attacks in the first three quarters of 2023.
Chart 2
Chart 3
Rated GCC Banks Haven't Suffered Meaningful Losses From Cyber Incidents
None of the GCC banks that we rate have reported significant monetary loss or reputational damage as a result of cyber incidents in the past two years. What's more, the overall operational risk capital charge under banks' local capital requirements stood on average at 2.7% of banks' total equity at Sept. 30, 2023 (assuming a minimum capital requirement ratio of 8%).
These results are also confirmed by Guidewire estimates that show that rated banks from the GCC might lose between 0.9% and 4.9% of net income and 0.1% and 0.4% of equity based on December 2023 estimations in the Guidewire model (see chart 4).
Banks that are present in more than one country, or that have significant retail franchises, reported slightly higher charges within our sample of GCC banks (see chart 4). The operational risk capital charge is a useful indicator of risk perception because it is supposed to provide cover for all operational risks, including cyber risk. Nonetheless, we acknowledge that operational risk is based on historical data and may not constitute a good proxy for future risk exposures.
Chart 4
As noted earlier, Guidewire's loss estimations suggest that GCC banks' operational risk capital charges are more than enough to cover the risks posed by cyber threats--at an average 12.0x Guidewire's estimated loss from a theoretical cyber incident (see chart 5). We also note that rated Gulf banks have an average forecast Risk-Adjusted Capital ratio (RAC) of 11.1% for 2024. We consider this to be strong capitalization that could help them navigate unexpected risks and losses.
Chart 5
Business Interruption Is The Most Important Risk
Despite GCC banks' recent success in avoiding cyber criminality, they can ill afford to be complacent given the variety of cyber threats and the frequency of attacks.
Guidewire identifies four principal cyber threats faced by GCC banks, of which business interruption loss is easily the most important, accounting for an estimated 83% of potential losses in 2023. Contingent business interruption loss accounted for an estimated 11% of potential losses, ahead of extortion and data breaches (see chart 6). That ranking reflects the possibility of significant operational interruption due to the loss of systems, and the potentially large negative impact on banks' reputation and profits, depending on the duration of the event and the speed of recovery.
Data breaches' position at the bottom of Guidewire's cyber risk distribution of loss ranking reflects their relatively limited potential to generate significant losses per incident. The average total cost of a data breach in the Middle East was $8.1 million in 2023, according to IBM's Cost of a Data Breach Report 2023. That was almost twice the global average of $4.5 million but remains a relatively manageable cost for the GCC's well capitalized banks.
Chart 6
Cyber Risk Tops The Agenda For Rated Banks' Boards And Senior Management
Public disclosures and our interactions with rated banks' senior management suggest a relatively good awareness and prioritization of cyber risk. Rated GCC banks continue to invest in technology, equipment, and staff training to detect and limit exposure to cyber risk. They are also updating policies and investments to account for emerging trends in cyber security. Some GCC banks have communicated publicly on cyber-risk-related Key Performance Indicators (KPIs) and are tracking their evolution.
No system is perfect, however, and continued investment and adaptation are required to minimize risk. That should include customer education alongside staff education, as the former is also key to minimizing cyber threats. In the UAE, for example, a significant number of phishing emails use banks' logos and prompt customers to provide personal information to avoid account closure, among other actions.
Regulators Are Also Driving Cyber Security
Regulators have an established role in setting the cyber security framework and regulatory requirements for GCC banks. We have seen an expansion of that function with the addition of new initiatives aimed at helping to protect banking systems from cyber threats.
In October 2022, the Saudi Central Bank (SAMA) established a counter-fraud framework to enable banks to effectively identify and address fraud related risks in a standardized manner. That framework comes on top of the country's cyber security framework, issued in 2017, and its Cyber Threat Intelligence Principles, in 2022.
More recently, in February 2024, the UAE Banks Federation (known as the UBF) organized the third edition of its cyber wargames. The event was attended by, among others, representatives from banks, financial technology institutions, and cyber security experts. The exercise was supervised by the Central Bank of UAE and the UAE government's Cyber Security Council.
How Cyber Risk Can Affect Banks' Ratings
We factor cyber risk into our assessment of banks' business stability, capitalization, and risk management adequacy. In extreme scenarios, cyber risk could have negative implications on banks' profitability, notably depending on the duration of a cyber security event and the speed of recovery. Cyber threats could also impact liquidity, for example through a sudden outflow of funds that leads to liquidity pressure.
We also note that cyber risks evolve rapidly and require continued monitoring, training, and investment in defenses if banks are to remain protected. And we recognize that no system can fully protect against unexpected-event risk.
Related Research
- GCC Banking Sector Outlook 2024: A Relative Bright Spot Among Emerging Markets, Jan. 31, 2024
- Gulf Banks' Strong Capitalization Supports Resilience To Cyber Risk, May 16, 2022
This report does not constitute a rating action.
Primary Credit Analyst: Mohamed Damak, Dubai + 97143727153; mohamed.damak@spglobal.com
Secondary Contact: Dhruv Roy, Dubai + 971(0)56 413 3480; dhruv.roy@spglobal.com